DSAR Abuse After Brillen Rottler: Real Shift or Limited Impact?

Published: Apr. 06, 2026

At a time when many organizations are seeing a rise in strategic, and sometimes even outright abusive, data subject access requests (“DSARs”), the Court of Justice of the European Union’s (“CJEU’s”) 19 March 2026 decision in Brillen Rottler (Case C-526/24) has been welcomed as a potential shift in the balance. The ruling appears to offer support for controllers dealing with requests driven less by transparency concerns and more by tactical leverage. However, a closer examination suggests that its practical implications may be more constrained in typical operational contexts.

The case arose when a data subject lodged a DSAR just thirteen days after signing up for Brillen Rottler’s newsletter on its website. The company, a German-based, family-run optician, refused the request as excessive under Article 12(5) GDPR, pointing to evidence suggesting a broader pattern: subscribe, request access, then seek compensation where a request is denied or mishandled. The data subject disputed this and requested compensation. The German court dealing with the matter referred several questions to the CJEU.

In determining whether the request was “excessive,” the CJEU held that the analysis should not focus solely on whether requests are repetitive. Repetition is only illustrative; the decisive question is whether the request was made with abusive intent. The CJEU held that a combination of factors must be considered: (1) the objective circumstances of the DSAR and (2) a subjective assessment to determine if the intention behind the DSAR is not to protect the data subject’s rights under the GDPR but to gain an advantage by artificially creating the conditions for a claim for compensation.

The CJEU found that the data subject was seeking to engineer a damages claim rather than to obtain meaningful access to personal data. In particular, the CJEU highlighted the data subject’s publicly documented pattern of subscribing to newsletters and rapidly submitting access requests, followed shortly thereafter by compensation claims, as evidence that the request to Brillen Rottler was part of a deliberate and abusive strategy to claim damages rather than a genuine attempt to exercise the data subject’s access rights. The CJEU’s decision therefore confirmed that data controllers may refuse a DSAR as “excessive” under Article 12(5) of the GDPR in the exceptional circumstances where abusive intent is proven, even where a data subject submits a request for the first time. 

UK-based controllers familiar with the use of DSARs as pre-action disclosure tactics may view this decision as a welcome clarification consistent with UK case law and ICO guidance, both of which have noted the tactical use of DSARs but make clear that such use, on its own, does not render a request manifestly unfounded or excessive. The evidential burden, however, is challenging to meet, because controllers must “unequivocally” demonstrate that the request reflects an improper purpose.

To demonstrate this, a controller would need a strong factual context that many organisations may struggle to assemble. Public reporting and third-party accounts may be relevant, but may not be dispositive. In Brillen Rottler, the company relied on publicly available material, including reports, blogs, and lawyers’ newsletters highlighting the data subject’s apparent modus operandi, which suggested a documented pattern of similar claims. That material was supported by other indicators tied to the request (such as the quick turnaround between signing up with Brillen Rottler, submitting the request, and filing a damages claim). This fact pattern may not often present itself so clearly.

For controllers, the decision provides a clearer articulation of when a request may cross the line into abuse. It qualifies the widespread assumption that the first request is always “safe” and offers a principled route for the truly abusive edge cases. But the exception is narrow. Organisations will still need to manage DSAR risk through process and documentation rather than relying on abuse as a routine basis for refusal.

For data subjects, genuine access rights remain firmly protected. If the decision deters abusive requests, that may in turn leave organisations better able to focus time and resources on legitimate ones.

What this decision affirms is that, just like other EU rights, GDPR rights cannot be abused.